Re: IPSEC PROBLEM...HELP

From: michael robertson (michael_w_2ca@xxxxxxxx)
Date: Sat Jan 12 2002 - 19:58:02 GMT-3


Hi, there,

From what I can see, you use a wrong crypto map on
R2; it should be Kaier or Kaiser (your typo here).
Also you put this in the wrong interface. You should not
put crypto yahoo on R2's interface.

--- tom cheung <tkc9789@hotmail.com> wrote:
> I believe ACL 101 needs to be modified.
> You're using a GRE tunnel; the permit statement should be
> permit gre host x.x.x.x host y.y.y.y
> where x.x.x.x and y.y.y.y
> are the physical end-points, not the tunnel address.
>
>
> >From: "zapeta zape" <zzapeta@hotmail.com>
> >Reply-To: "zapeta zape" <zzapeta@hotmail.com>
> >To: ccielab@groupstudy.com
> >Subject: IPSEC PROBLEM...HELP
> >Date: Sat, 12 Jan 2002 10:02:49 -0500
> >
> >Hi,
> >I spent all day yesterday trying to set up ipsec.
> >I have 4 routers running ISIS over frame relay; I can ping all the way
> >through, ISIS is working fine.
> >
> >r8------r9----r7 -------r2
> >R9 is the hub and we have 3 spokes. By the way, R7 is connected to r2 via
> >ethernet
> >
> >These are the configs
> >
> >r8
> >crypto isakmp policy 1
> >hash md5
> >authentication pre-share
> >lifetime 500
> >crypto isakmp key cisco address 172.16.104.1
> >!
> >!
> >crypto ipsec transform-set doom esp-des
> >!
> >!
> >crypto map yahoo local-address Loopback0
> >crypto map yahoo 10 ipsec-isakmp
> >set peer 172.16.104.1
> >set transform-set doom
> >match address 101
> >!
> >!
> >!
> >!
> >interface Loopback0
> >ip address 172.16.102.1 255.255.255.0
> >no ip directed-broadcast
> >ip router isis
> >!
> >
> >!
> >interface Tunnel0
> >ip address 10.1.1.1 255.255.255.0
> >no ip directed-broadcast
> >tunnel source 172.16.102.1
> >tunnel destination 172.16.104.1
> >crypto map yahoo
> >!
> >
> >!
> >interface BRI0/0
> >ip address 172.16.12.2 255.255.255.0
> >no ip directed-broadcast
> >encapsulation ppp
> >ip ospf demand-circuit
> >ip ospf database-filter all out
> >shutdown
> >dialer idle-timeout 40
> >dialer map ipx 12.0001.0001.0001 name r9 broadcast 7704324217
> >dialer-group 1
> >isdn switch-type basic-ni
> >isdn spid1 77043242400101 4324240
> >no cdp enable
> >ppp authentication chap
> >!
> >interface Serial0/0
> >ip address 172.16.123.2 255.255.255.0
> >no ip directed-broadcast
> >ip router isis
> >encapsulation frame-relay
> >ip ospf network point-to-multipoint
> >no ip mroute-cache
> >isis circuit-type level-1
> >frame-relay map clns 809 broadcast
> >frame-relay map ip 172.16.123.1 809 broadcast
> >frame-relay map ip 172.16.123.2 809 broadcast
> >frame-relay map ip 172.16.123.3 809 broadcast
> >frame-relay lmi-type cisco
> >crypto map yahoo
> >
> >!
> >router isis
> >net 49.0001.0002.0002.0002.00
> >!
> >ip classless
> >!
> >access-list 101 permit ip host 10.1.1.1 host 10.1.1.2
> >
> >
> >
> >r2
> >clns routing
> >!
> >!
> >crypto isakmp policy 1
> >hash md5
> >authentication pre-share
> >lifetime 500
> >crypto isakmp key cisco address 172.16.102.1
> >!
> >!
> >crypto ipsec transform-set doom esp-des
> >!
> >!
> >crypto map kaier local-address Loopback0
> >crypto map kaiser 10 ipsec-isakmp
> >set peer 172.16.102.1
> >set transform-set doom
> >match address 101
> >!
> >!
> >!
> >interface Loopback0
> >ip address 172.16.104.1 255.255.255.0
> >no ip directed-broadcast
> >ip router isis
> >
> >!
> >interface Tunnel0
> >ip address 10.1.1.2 255.255.255.0
> >no ip directed-broadcast
> >tunnel source 172.16.104.1
> >tunnel destination 172.16.102.1
> >crypto map yahoo
> >!
> >interface Ethernet0
> >ip address 172.16.43.4 255.255.255.0
> >no ip directed-broadcast
> >ip router isis
> >isis circuit-type level-1
> >crypto map yahoo
> >!
> >interface Serial0
> >ip address 172.16.14.4 255.255.255.0
> >no ip directed-broadcast
> >ip router isis
> >encapsulation frame-relay
> >no ip mroute-cache
> >frame-relay map clns 209 broadcast
> >frame-relay map ip 172.16.14.1 209 broadcast
> >frame-relay map ip 172.16.14.4 209 broadcast
> >crypto map yahoo
> >!
> >
> >router isis
> >net 49.0002.0004.0004.0004.00
> >!
> >ip classless
> >!
> >access-list 101 permit ip host 10.1.1.2 host 10.1.1.1
> >
> >When I do deb crypto IPsec on r8 this is what I get:
> >
> >*Mar 1 00:01:55: IPSEC(key_engine): got a queue event...
> >*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> >*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.104.1
> >r8#
> >*Mar 1 00:02:04: IPSEC(key_engine): request timer fired: count = 1,
> >  (identity) local= 172.16.102.1, remote= 172.16.104.1,
> >  local_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
> >  remote_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1)
> >*Mar 1 00:02:04: IPSEC(sa_request): ,
> >  (key eng. msg.) src= 172.16.102.1, dest= 172.16.104.1,
> >  src_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
> >  dest_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
> >  protocol= ESP, transform= esp-des ,
> >  lifedur= 3600s and 4608000kb,
> >  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
> >*Mar 1 00:02:05: IPSEC(key_engine): got a queue event...
> >*Mar 1 00:02:05: IPSEC(spi_response): getting spi 373362238
=== message truncated ===
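
The two corrections raised in this thread (a crypto map name that must be spelled consistently and applied under that same name, and a crypto ACL that must match GRE between the physical tunnel endpoints rather than the tunnel addresses) can be checked mechanically before a config is pushed. The script below is an added example, not code from any of the posters or from the GroupStudy archive. It parses a reduced IOS-style configuration (constructed here from the r2 config quoted above, with only the statements the checks need) and reports those misconfigurations; the `parse_ios` and `audit` names, and the corrected variant `R2_CORRECTED`, are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: r2 as posted in the thread, reduced to the statements
# this checker reads (mismatched map names, map applied as 'yahoo', crypto
# ACL written against the tunnel addresses).
R2_AS_POSTED = """\
crypto map kaier local-address Loopback0
crypto map kaiser 10 ipsec-isakmp
 set peer 172.16.102.1
 match address 101
!
interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source 172.16.104.1
 tunnel destination 172.16.102.1
 crypto map yahoo
!
interface Ethernet0
 ip address 172.16.43.4 255.255.255.0
 crypto map yahoo
!
access-list 101 permit ip host 10.1.1.2 host 10.1.1.1
"""

# Constructed sample: the same router with the thread's advice applied.
R2_CORRECTED = R2_AS_POSTED.replace("kaier", "kaiser").replace("yahoo", "kaiser").replace(
    "permit ip host 10.1.1.2 host 10.1.1.1", "permit gre host 172.16.104.1 host 172.16.102.1")


def parse_ios(text):
    """Pull the crypto maps, interfaces and numbered ACLs out of an IOS-style config."""
    maps = defaultdict(dict)        # map name -> {sequence number: {'match': acl}}
    local_addr = {}                 # map name -> interface named in 'local-address'
    interfaces = defaultdict(dict)  # interface name -> ip / tunnel_* / crypto_map
    acls = defaultdict(list)        # ACL number -> [(action, protocol, rest of entry)]
    cur_map = cur_if = None         # block currently being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
            local_addr[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            cur_map, cur_if = maps[m[1]].setdefault(int(m[2]), {}), None
        elif m := re.match(r"interface (\S+)$", line):
            cur_if, cur_map = interfaces[m[1]], None
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+) (.+)$", line):
            acls[m[1]].append((m[2], m[3], m[4]))
        elif cur_map is not None and (m := re.match(r"match address (\S+)$", line)):
            cur_map["match"] = m[1]
        elif cur_if is not None and (m := re.match(r"ip address (\S+) \S+$", line)):
            cur_if["ip"] = m[1]
        elif cur_if is not None and (m := re.match(r"tunnel (source|destination) (\S+)$", line)):
            cur_if["tunnel_" + m[1]] = m[2]
        elif cur_if is not None and (m := re.match(r"crypto map (\S+)$", line)):
            cur_if["crypto_map"] = m[1]
    return maps, local_addr, interfaces, acls


def audit(text):
    """Report the misconfigurations pointed out in the thread, as a list of strings."""
    maps, local_addr, interfaces, acls = parse_ios(text)
    crypto_acls = {e["match"] for seqs in maps.values() for e in seqs.values() if "match" in e}
    findings = []
    # 1. 'local-address' on a map name that has no ipsec-isakmp entries (kaier vs kaiser)
    for name in local_addr:
        if name not in maps:
            findings.append(f"crypto map '{name}' has local-address but no ipsec-isakmp entry (typo?)")
    # 2. an interface applies a map that is not defined on this router ('yahoo')
    for ifname, attrs in interfaces.items():
        applied = attrs.get("crypto_map")
        if applied and applied not in maps:
            findings.append(f"{ifname} applies crypto map '{applied}', which is not defined here")
    # 3. for each GRE tunnel, the crypto ACL must match GRE between the physical endpoints
    for ifname, attrs in interfaces.items():
        src, dst = attrs.get("tunnel_source"), attrs.get("tunnel_destination")
        if not (src and dst):
            continue
        want = f"host {src} host {dst}"
        entries = [e for num in crypto_acls for e in acls.get(num, [])]
        if not any(act == "permit" and proto == "gre" and rest == want for act, proto, rest in entries):
            findings.append(f"no crypto ACL permits 'gre host {src} host {dst}' for {ifname}")
        tun_ip = attrs.get("ip")
        if tun_ip and any(tun_ip in rest.split() for _, _, rest in entries):
            findings.append(f"crypto ACL matches tunnel address {tun_ip} of {ifname}; "
                            "it should match the GRE endpoints instead")
    return findings


if __name__ == "__main__":
    for label, cfg in (("r2 as posted", R2_AS_POSTED), ("r2 corrected", R2_CORRECTED)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against the posted r2, the audit reports the name mismatch, both interfaces applying the undefined map `yahoo`, the missing `permit gre` entry for Tunnel0's endpoints, and ACL 101 matching the tunnel address; against the corrected variant it reports nothing. The endpoint check keys on `tunnel source` and `tunnel destination`, which is exactly why a crypto ACL written against the 10.1.1.x tunnel addresses never matches the GRE packets the physical interface actually sends.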



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:26 GMT-3